Abstract. An AES-like lightweight block cipher, namely Zorro, was
proposed in CHES 2013. While it has a 16-byte state, it uses only 4
S-Boxes per round. This weak nonlinearity was widely criticized, insofar
as it has been directly exploited in all the attacks on Zorro reported by
now, including the weak key, reduced round, and even full round attacks.
In this paper, using some observations discovered by Wang et al., we
present new differential and linear attacks on Zorro, both of which recover
the full secret key with practical complexity. These attacks are based on
very efficient distinguishers that have only two active S-Boxes per four
rounds. The time complexities of our differential and linear attacks are
$2^{52.74}$ and $2^{57.85}$, and the data complexities are $2^{55.15}$
chosen plaintexts and $2^{45.44}$ known plaintexts, respectively. The
results clearly show that the block cipher Zorro does not have enough
security against differential and linear cryptanalysis.

Keywords: Zorro, Lightweight Block Cipher, Differential Cryptanalysis,
Linear Cryptanalysis.

1 Introduction 

Block ciphers are the most widely-studied primitives in the area of symmetric 
cryptography. Among the different types of attacks, differential cryptanalysis 
[1] and linear cryptanalysis [2] can be regarded as two of the oldest and most 
important statistical methods to analyse the security of the block ciphers. 

Zorro is a newly proposed lightweight block cipher whose design is based on
AES [4]. It is basically designed with the aim of increasing the resistance
against side-channel attacks while still remaining a lightweight block cipher.
In spite of its 16-byte state, the SubByte layer of Zorro uses only 4 similar
S-Boxes in the first row, which are different from AES S-Boxes. Similar to
LED-64 [5], the key addition layer in Zorro is applied only after each four
rounds. Besides, the Shift Row and Mix Column layers are exactly the same as
the AES ones.

For both differential and linear cryptanalysis, the designers have evaluated
the security of the cipher and found a balance between the number of inactive
S-Boxes and the number of freedom degrees for differential or linear paths.
The designers concluded that 14 and 16 rounds are upper bounds for any
non-trivial differential or linear characteristics, respectively. Furthermore,
they show that in the single key model of Zorro, a 12 round meet-in-the-middle
attack is the most powerful attack.

1.1 Related work 

During the past year, Zorro has attracted the attention of many cryptanalysts
and some attacks have been launched against it by now. The first one, proposed
by Guo, is a key recovery attack on the full-round version of the algorithm,
but it works only for $2^{64}$ weak keys of the whole key space $2^{128}$ [6].

In the next attack, Wang et al. presented a differential key recovery attack
and a linear distinguisher for full-round Zorro. They observed an interesting
property of Zorro's MixColumn: the fourth power of the MDS matrix is equal to
the identity matrix. Using this property of Zorro along with its weak
nonlinearity, they found differential and linear distinguishers for Zorro in
which only four S-Boxes are activated per four rounds. The resulting
differential cryptanalysis can recover the randomly chosen key with time
complexity of $2^{108}$ and data complexity of $2^{112.4}$ chosen plaintexts,
and the linear distinguisher uses $2^{105.3}$ known plaintexts to successfully
distinguish it from a random permutation [7].

Finally, Soleimany proposed a probabilistic variation of the slide attack and
applied it to 16 rounds of Zorro (out of 24 rounds) [8]. This attack requires
$2^{123.62}$ known plaintexts with the time complexity of $2^{123.8}$
encryptions or $2^{121.59}$ known plaintexts with time complexity of
$2^{124.23}$ encryptions.

Very recently, Dunkelman et al. briefly reported their new results on Zorro in
the FSE'14 rump session, which is an improvement of Wang's differential and
linear attacks [9]. As they stated, the gain of their attack is not in the
probability of the distinguishers, since the new distinguishers still have two
active S-Boxes per two rounds (i.e. one S-Box per round on average, which is
similar to that of Wang's attack). Instead, they achieved some improvements in
the key recovery phase. Consequently, a differential attack with time and data
complexity of $2^{98}$ and $2^{95}$, and a linear attack with time and data
complexity of $2^{88}$ and $2^{83.3}$, result.

1.2 Our contributions 

In this paper, we break the full-round version of Zorro by using differential
and linear cryptanalysis. Alongside the weak nonlinearity of Zorro (i.e. the
limited number of S-Boxes in each round), we use the fact discovered in [7]
that the fourth power of the MDS matrix is equal to the identity matrix. We
propose very efficient iterated differential characteristics and linear trails
that have only two active S-Boxes per four rounds. Using the 23, 22 and
21-round differential characteristics and linear trails, we can propose a key
recovery attack for any randomly chosen secret key of full-round Zorro. The
differential cryptanalysis has a time complexity of $2^{52.74}$ full round
encryptions and a data complexity of $2^{55.15}$ chosen plaintexts. The linear
cryptanalysis has a time complexity of $2^{57.85}$ full round encryptions and
a data complexity of $2^{45.44}$ known plaintexts. In both the differential
and the linear cryptanalysis the memory complexity is $2^{17}$. Tab. 1
summarizes the complexities of existing attacks and ours. Our results show
that the theoretical security of the full-round Zorro evaluated by the
designers does not hold up in practice.



Table 1. Summary of cryptanalytic results on Zorro

Attack Type             Rounds attacked  Time          Data             Memory       Ref.
Differential            Full-round*      $2^{54.3}$    $2^{54.3}$ CP    $2^{54.3}$   [6]
Statistical Slide       16 (out of 24)   $2^{123.8}$   $2^{123.62}$ KP  -            [8]
Statistical Slide       16 (out of 24)   $2^{124.23}$  $2^{121.59}$ KP  -            [8]
Linear (Distinguisher)  Full-round       $2^{105.3}$   $2^{105.3}$ KP   -            [7]
Differential            Full-round       $2^{108}$     $2^{112.4}$ CP   -            [7]
Differential            Full-round       $2^{98}$      $2^{95}$ CP      -            [9]
Linear                  Full-round       $2^{88}$      $2^{83.3}$ KP    $2^{80}$     [9]
Differential            Full-round       $2^{52.74}$   $2^{55.15}$ CP   $2^{17}$     Sec. 3
Linear                  Full-round       $2^{57.85}$   $2^{45.44}$ KP   $2^{17}$     Sec. 4

*This attack works only for $2^{64}$ keys of the whole key space $2^{128}$.

CP: Chosen Plaintext, KP: Known Plaintext.



1.3 Outline 

This paper is organized as follows: Section 2 presents a brief description of
Zorro. Section 3 presents the outline of the differential attack on full-round
Zorro with all details and evaluates its complexities. The outline and details
of the linear attack and the evaluation of its complexities are presented in
Section 4. Finally, Section 5 concludes this paper.

2 A Brief Description of Zorro

The block cipher Zorro has a 128-bit key and a 128-bit block size. It has 24
rounds, which are divided into 6 steps of 4 rounds each.

As in AES-128, the internal state in Zorro is a 4x4 matrix of bytes, and 
every round consists of four transformations: 

1. SB* is the S-Box layer where only 4 similar S-Boxes, which are different 
from AES S-Boxes, are applied to the 4 bytes of the first row in the state 
matrix. 

2. AC is the addition of round constants. Specifically, in round i the four 
constants (i, i, i, i << 3) are added to the four bytes of the first row. 

3. SR is similar to AES ShiftRow. 

4. MC is similar to AES MixCol. 

The key schedule of Zorro is similar to that of LED. Before the first and after
each step (i.e. each four rounds), the master key is XORed to the state.

As Wang argued in [7], by focusing on the MC layer used in Zorro, we see an
exclusive feature of this layer: the fourth power of the MC matrix equals the
identity matrix.

$$M = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}, \qquad
M^4 = \begin{pmatrix} 01 & 00 & 00 & 00 \\ 00 & 01 & 00 & 00 \\ 00 & 00 & 01 & 00 \\ 00 & 00 & 00 & 01 \end{pmatrix} \qquad (1)$$

Since only 4 S-Boxes are applied to the first row in each round, combined
with these features of the MDS matrix, iterated differential characteristics
and linear trails are found for one step of Zorro.

3 Differential Cryptanalysis

In this section, we first find some iterated differential characteristics for
one step of Zorro with high probability. Then, using the conventional
assumption that the step functions are independent [7], we construct three
groups of distinguishers for 23, 22 and 21 rounds of Zorro. The first
distinguisher is used in the first phase of the key recovery attack to reduce
the key space from $2^{128}$ to $2^{96}$. Having recovered 32 bits of key in
the first phase, we use the second and third distinguishers in the next two
phases to recover 64 more bits of the key. Finally the 32 remaining bits of
key are retrieved by an exhaustive search.

3.1 Iterated Differential Characteristic

In order to find an efficient iterated differential characteristic for one
step of Zorro with the minimum number of active S-Boxes, we enjoy the maximum
flexibility in the input difference. To minimize the number of active S-Boxes,
it is sensible to set the difference of the first row equal to zero, and to
bypass the influence of the SR transformation, we set the differences of the
third and fourth columns equal to those of the first and second ones,
respectively. We do not impose any more conditions on the remaining six bytes
now and let their dependency be utilized in minimizing the number of active
S-Boxes in the next rounds. We can extend this input difference to four rounds
with only two active S-Boxes as shown in Fig. 1. In this figure the AC
transformation is omitted since it does not have any effect on the
differentials. The active S-Boxes are shown in gray, with their difference
value written inside. For attaining such a differential characteristic, some
conditions in the MC transformations between states (#3, #4), (#6, #7),
(#12, #1), as well as two conditions for the SB* transformation between states
(#10, #11), must be satisfied. Satisfying the mentioned MC conditions results
in 24 independent linear equations in 26 variables A,...,Z. Hence, after some
simplifications, we can represent all the variables based on A and B:

Total Break of Zorro using Linear and Differential Attacks

[Figure 1: states #1 to #12 of one step (four rounds of SB*, SR, MC). The
first row has zero difference in every state except #10 to #12, where it is
(S T S T). Rows 2 to 4 are (A B A B / C D C D / E F E F) in #1 and #2,
(G H G H / I J I J / K L K L) in #4 and #5, (M N M N / O P O P / Q R Q R) in
#7 and #8, and (U V U V / W X W X / Y Z Y Z) in #10 and #11; SR swaps the
letter pairs in rows 2 and 4 to give #3, #6, #9 and #12.]

Fig. 1. Iterated differential characteristic of one step of Zorro
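
Added example (not code from the paper): a GF(2^8) check of Eq. (1) and of how SR and MC act on the difference pattern of state #1, including the MC condition between states (#3, #4) derived here from the first row of M. The function names and the sample bytes are constructed for illustration and are not values from Table 2.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

# MixColumns matrix of Eq. (1).
M = [[2, 3, 1, 1],
     [1, 2, 3, 1],
     [1, 1, 2, 3],
     [3, 1, 1, 2]]
IDENTITY = [[1 if i == j else 0 for j in range(4)] for i in range(4)]

def mat_mul(x, y):
    """4x4 matrix product over GF(2^8); addition is XOR."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            for k in range(4):
                out[i][j] ^= gf_mul(x[i][k], y[k][j])
    return out

def mat_pow(x, n):
    """x multiplied by itself n times, starting from the identity."""
    result = IDENTITY
    for _ in range(n):
        result = mat_mul(result, x)
    return result

def shift_rows(state):
    """AES ShiftRows on a state stored as four rows: row r rotates left by r."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def linear_round(state):
    """SR followed by MC. SB* and AC are skipped: with a zero difference in
    the first row no S-Box is active, and constants cancel in a difference."""
    return mat_mul(M, shift_rows(state))

def state_1(a, b, c, d, e, f):
    """Difference pattern of state #1 in Fig. 1: zero first row, columns 3
    and 4 repeating columns 1 and 2."""
    return [[0, 0, 0, 0], [a, b, a, b], [c, d, c, d], [e, f, e, f]]

def inactive_next_round(a, b, c, d):
    """Choose E and F so that the first row after one linear round is zero.
    Row 1 of M is (02 03 01 01), so after SR column 1 gives
    03*B ^ C ^ F = 0 and column 2 gives 03*A ^ D ^ E = 0."""
    e = gf_mul(3, a) ^ d
    f = gf_mul(3, b) ^ c
    return state_1(a, b, c, d, e, f)

if __name__ == "__main__":
    print("M^4 == I:", mat_pow(M, 4) == IDENTITY)
    s1 = inactive_next_round(0x12, 0x34, 0x56, 0x78)   # constructed sample bytes
    print("after SR :", shift_rows(s1))
    print("state #4 :", linear_round(s1))
```

Only the first of the three MC conditions is imposed here; the full characteristic also needs the conditions between (#6, #7) and (#12, #1), which leave the two free bytes A and B.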

Now let's focus on the SB* transformation of the fourth round. We need that
for all the four active S-Boxes, each output difference equals its own input
difference. Suppose this happens with the probability of p. Then,

$$p = DP(S \to S)^2 \times DP(T \to T)^2 \qquad (2)$$

where $DP(\alpha \to \beta)$ is the differential probability of the S-Box with
input difference $\alpha$ and output difference $\beta$. We will try to
maximize p. Also, we still have 2 degrees of freedom, A and B. So we can set
one of S or T to zero and confine the number of active S-Boxes to two per four
rounds. Let

(3)

Hence, for the best probability of the proposed 4-round differential
characteristic

$$P_{4r} = \max_{1 \le x \le 255} DP(x \to x)^2 \qquad (4)$$

According to the DDT of the S-Box, the maximum probability is equal to
$P_{4r} = (6/256)^2 = 2^{-10.83}$ and there are three choices for x to achieve
this value. Considering the two cases of S = 0 or T = 0, there would be, in
total, six options for the input difference to construct a differential with
this maximum probability. These differentials are shown in Table 2.
Furthermore, similar to [7], we can replace the difference of state #1 by that
of #4, #7 or #10, to get new sets of iterated differential characteristics.

3.2 Key recovery

The full key recovery attack on full-round Zorro proceeds in three phases. In
each phase, we recover 32 bits of the secret key.

Phase 1. Recovering the 32 Bits of Key. Using each of the six 4-round
iterated differentials introduced in Tab. 2, we can construct a 23-round (= 5
steps + 3 rounds) differential characteristic with probability of

$$P_{23r} = (P_{4r})^5 \times P_{3r} = 2^{-10.83 \times 5} = 2^{-54.15} \qquad (5)$$

Table 2. Six iterated differential characteristics for one step

Note that the last three rounds of this characteristic have no cost in
probability, i.e. $P_{3r} = 1$. Since $P_{23r}$ is too far from that of a
Pseudo Random Permutation, $P_{PRP} = 2^{-128}$, such a 23-round distinguisher
can be successfully used to distinguish the correct key from the wrong key in
a 24-round attack.

In the following, we explain a key recovery attack on full round Zorro which
extracts 32 bits of information of the secret key K. Similar to [7], a
structure attack which merges all the six differential characteristics
simultaneously requires less data here. We also change the order of MC and AK
in the last round, where the equivalent key $K' = MC^{-1}(K)$ is added before
MC. In fact, this attack recovers 32 bits of the first row of K', each of
which is a linear function of K, in two (potentially simultaneous)
procedures: in the first one, we find the second and fourth bytes of the first
row by using the iterated differential characteristics corresponding to No. 1,
3 and 5 of Tab. 2; in the other one, the first and third bytes are recovered
using No. 2, 4 and 6 of Tab. 2. At the end, we will come up with $2^{96}$ key
candidates for the whole 128-bit key.

Step 1. Choosing the Plaintext Pairs

Our attack is a structural chosen plaintext attack, where we choose some
structures and all the plaintexts in every structure are queried from the
encryption oracle to get the corresponding ciphertexts. Suppose that we
construct M structures which, in total, give N differential pairs with the
difference according to #1. The precise relation between M and N can be
found in Appendix A.

Step 2. Filtering the Ciphertext Pairs

Partially decrypt all the N ciphertext pairs generated in Step 1 to get their
corresponding difference in the output of SB* of round 24. Keep only those
pairs that satisfy the condition in the third row of #10 as well as the two
zero differences in the first row (see Fig. 2). For a pseudo random
permutation, this happens with the probability of $2^{-112}$, whereas for
Zorro this probability is $2^{-54.15}$. Therefore, about
$N \times 2^{-54.15}$ pairs of data remain to distinguish the right key from
the wrong keys.

Fig. 2. Differential characteristics on 23-round Zorro

Step 3. Recovering 16 bits of K'

Guess the two bytes of the first row of K' corresponding to those two active
S-Boxes, and partially decrypt the remaining pairs to get their differences
in the first row of the input of round 24. If it is consistent with that of
#1, increase the corresponding counter of the guessed key. There are
$N \times 2^{-54.15}$ differential pairs to distinguish the right key from the
wrong keys. An incorrect key is suggested with a probability of $2^{-16}$
while it is about one for the right key. Utilizing the probability differences
between the correct key and incorrect keys, we can extract the correct
candidates for the secret key. By this procedure we find two bytes of K' in
the first row. A similar procedure can be repeated for the other two active
S-Boxes to find the other two bytes in the first row.



Phase 2 & 3. Recovering the 96 Remaining Key Bits. If we replace
the state of #1 by #4 or #7 in Figure 1, we will come up with another 6
iterated differential characteristics, which can be used to construct 22 or
21-round differential characteristics with the same probability of
$Pr_{22\text{-round}} = Pr_{21\text{-round}} = 2^{-54.15}$. So, we need the
same number of differential pairs (N) to distinguish the right key from the
wrong keys.

The steps of Phase 2 are similar to those of Phase 1 with two minor
differences: In Step 2, the ciphertext differences are filtered based on their
partially decrypted values in the output of the SB* transformation in round 23
(rather than 24). Thanks to the 32 bits of K' retrieved in Phase 1, this can
be performed. In Step 3, we need to guess 16 bits of K'', where
$K'' = MC^{-1}(SR^{-1}(K'$ with all bits 0 in the first row$))$.

In this phase, we partially decrypt all the ciphertexts in the structure for
one round. But in the AC layer, in addition to the round constant, we add
bitwise the first row of K' which was found in Phase 1, and continue the rest
of the attack similar to Phase 1. We guess all the $2^{16}$ keys involved in
the active S-Boxes, and repeat this procedure once more to get the other
$2^{16}$ key bits. So, we can finally find 32 bits of the first row of K''.

Also in Phase 3, we make use of 21-round differentials and find the third 32
bits of K''', where $K''' = MC^{-1}(SR^{-1}(K''$ with all bits 0 in the first
row$))$. We proceed as in Phase 2, except that at first all the ciphertexts in
the structure are partially decrypted for two rounds, and in the AC layers, in
addition to the round constant, we add the first row of K' in round 23, and
the first row of K'' in round 22.

Finally, by using the information retrieved from K', K'' and K''', we end up
with only $2^{32}$ candidates for the 128-bit secret key K. With an exhaustive
search on these $2^{32}$ keys, we can find the whole 128 bits of the secret
key.



3.3 Complexities 

1. Time Complexity 

For Phase 1, in Step 2, we need to partially decrypt each remaining pair
for less than one round. Therefore it takes about $N \times 2^{-54.15}/24$
full-round Zorro encryptions. Step 3 requires less than one round encryption
for $N \times 2^{-54.15} \times 2^{16}$ times. Thus the time complexity for
finding 32 bits of K' is about

$$T_{ph.1} = 2 \times N \times 1/24 \times (1 + 2^{-54.15} \times 2^{16}) \approx N/12 \qquad (6)$$

full-round Zorro encryptions. As described in [1] and [3], for a differential
attack with differential characteristics with probability of p, about c/p
differential pairs are needed to distinguish the right key from the wrong
keys, where c is a small constant. It follows that N is smaller than
$2^{54.15}$ and the time complexity is about $T_{ph.1} = 2^{50.57}$ full-round
Zorro encryptions. Similar to what was explained for Phase 1, for the other
two phases we have:

$$T_{ph.2} = N \times 1/24 \times (1 + 2 \times (1 + 2^{-54.15} \times 2^{16})) \approx N/8 \qquad (7)$$
$$T_{ph.3} = N \times 1/24 \times (2 + 2 \times (1 + 2^{-54.15} \times 2^{16})) \approx N/6 \qquad (8)$$

All in all, the time complexity for the key recovery attack on full-round Zorro
would be $T = T_{ph.1} + T_{ph.2} + T_{ph.3} + 2^{32} = 2^{52.74}$.

2. Data Complexity

For both attack procedures presented in Phase 1, we need in total 2N
differential pairs. According to Appendix A, we have x = 6, hence each
structure has $2^6$ plaintexts and $2N = 6 \times 2^5 \times M$, where M is
the number of structures. So the data complexity of this phase would be
$D_{ph.1} = 2/3 \times N \approx 2^{53.57}$.

The other two phases also require $D_{ph.2} = D_{ph.3} = 2^{53.57}$ chosen
data, so for the full key recovery attack we need about
$D = 3 \times 2^{53.57} \approx 2^{55.15}$ chosen plaintexts.

3. Memory Complexity

The memory required for all the three phases of the attack is used to keep
the counters of the two 16-bit keys. For the simultaneous attack procedures
in three phases, it is $Mem. = 2 \times 2^{16} = 2^{17}$ counters. Note that
the memory required for keeping the pairs of each structure is negligible. So,
the memory complexity is independent of N.

4 Linear Cryptanalysis 

The procedure of the linear attack is very similar to that of the differential
attack presented in Sec. 3. We first try to find iterated linear trails with a
high correlation for one step of the algorithm. Then we make use of this trail
to construct 23, 22 and 21-round linear distinguishers, which are used for a
key recovery attack on the full-round Zorro.

4.1 Iterated Linear Trail 

In the same way as the iterated differential characteristics were found in
Section 3.1, we can find iterated linear trails for Zorro. There exist some
iterated linear trails for one step of Zorro whose patterns are identical to
that of the differential characteristics given in Fig. 1, where the gray bytes
are the ones with a non-zero mask. Satisfying the MixColumn transformation
between the states (#3, #4), (#6, #7) and (#12, #1), the following conditions
are forced on the mask values

         $Q \oplus 8R$
         $8Q \oplus R$
         $3Q \oplus 4R$
         $4Q \oplus 3R$
         $Q \oplus 5R$
         $5Q \oplus R$
         $2Q \oplus 3R$
    $L = \qquad \oplus 2R$
    $M = 2Q \oplus R$
    $N = Q \oplus 2R$
    $O = P = Q \oplus R$
    $S = 20Q \oplus 4R$
    $T = 4Q \oplus 20R$
    $U = 7Q \oplus 24R$
    $V = 24Q \oplus 7R$
    $W = 17Q \oplus 5R$
    $X = 5Q \oplus 17R$
    $Y = 6Q \oplus 31R$
    $Z = 31Q \oplus 6R$

Since the only nonlinear parts involved in this trail are the active S-Boxes of
state #10, the absolute correlation |c| of this four round trail is:

$$|c| = C(S,S)^2 \times C(T,T)^2 \qquad (9)$$

where $C(\alpha, \beta)$ is the linear correlation of the Zorro S-Box with
input mask $\alpha$ and output mask $\beta$. Again, we have 2 degrees of
freedom, Q and R, to maximize |c|. So we can set one of S or T to zero.

$$\begin{cases} S = 0 \Rightarrow R = 5Q \\ T = 0 \Rightarrow Q = 5R \end{cases} \qquad (10)$$

which in the two cases yields

$$|c_{4r}| = \max_{1 \le x \le 255} C(x,x)^2. \qquad (11)$$

After searching the LAT of the Zorro S-Box, the largest linear correlation
occurs when x = 136. With this setting the absolute value of the corresponding
correlation would be $|c_{4r}| = (28/128)^2 \approx 2^{-4.39}$. Also, we can
find new linear trails with the same correlation if we change the relative
location of #1 with #4, #7 or #10. The masking values A, ..., Z in Fig. 1 are
given in Tab. 3.



4.2 Key recovery 

Similar to that of the differential attack, the full key recovery attack on
full-round Zorro proceeds in three phases. In each phase, we recover 32 bits
of the secret key.

Phase 1. Recovering the 32 Bits of Key. Using each of the two 4-round
iterated linear trails in Tab. 3, we can construct a 23-round (= 5 steps + 3
rounds) linear trail with the correlation of

$$|c_{23r}| = |c_{4r}|^5 \times |c_{3r}| = 2^{-4.39 \times 5} = 2^{-21.93} \qquad (12)$$

Table 3. Two iterated linear trails for one step

Number    A    B    C    D    E    F    G    H    I    J    K    L    M
1       177   97  227  227  191  126  130  126   34    0  126  251  160
2        97  177  227  227  126  191  126  130    0   34  251  126   52

Number    N    O    P    Q    R    S    T    U    V    W    X    Y    Z
1        52  133  133  234  234    0  136   95   37    0  170  163  234
2       152  133  133  234  234  136    0   37   95  170    0  234  163

This 23-round linear trail is similar to the 23-round differential
characteristic given in Fig. 2. Since $|c_{23r}|$ is much larger than that of
a Pseudo Random Permutation, $|c_{PRP}| = 0$, such a 23-round distinguisher can
be successfully used to distinguish the correct key from the wrong key in a
24-round attack.

In the following, we explain a key recovery attack on full round Zorro which
extracts 32 bits of the first row of K', in two sequential procedures: First,
we find the second and fourth bytes of the first row of K' by using the
iterated linear trail corresponding to No. 1 of Tab. 3. Then, the first and
third bytes of the key are found using No. 2 of Tab. 3.

With the assumption that the secret key is randomly chosen from the whole
key space, the amount of plaintext/ciphertext pairs required for this attack
would be $N_L = 1/|c_{23r}|^2 \approx 2^{43.85}$ as discussed in [2] and [3].
The steps of this phase of the attack are as follows:



Step 1. Data Collection

Ask the encryption oracle for the corresponding ciphertexts of $N_L$ randomly
generated plaintexts.

Step 2. Data Processing

Compute

$$\alpha = \Gamma_{\#1} \cdot P \oplus \Gamma_{\#10,\, rows\ 2,3,4} \cdot C_{rows\ 2,3,4} \qquad (13)$$

where P is the plaintext, C is the one-round partially decrypted ciphertext,
$\cdot$ represents the dot product, and $\Gamma_{\#n}$ is the linear mask for
state #n in the No. 1 linear trail given in Tab. 3.

Step 3. Recovering the second and fourth bytes of K'

Guess the second and fourth bytes of K', and partially decrypt the ciphertext
to get the first row of C for every one of the $2^{16}$ guesses. Compute

$$\beta = \Gamma_{\#10,\, row\ 1} \cdot C_{row\ 1} \qquad (14)$$

If $\alpha = \beta$, increase the counter of the corresponding guessed key.

Step 4. Recovering the first and third bytes of K'

Repeat Steps 2 and 3 for these two bytes of key.

At the end of this procedure, all the four bytes of the first row of K' are
recovered.

Phase 2 & 3. Recovering the 96 Remaining Key Bits. As in the full-key
recovery attack in Phases 2 and 3 of the differential cryptanalysis, we use 22
and 21-round linear distinguishers with $c_{22r} = c_{21r} = 2^{-21.93}$, which
work with an amount of $N_L = 2^{43.85}$ known plaintexts. After reducing the
key candidates to $2^{32}$, we do an exhaustive search on the key candidates
to get the secret key.

Complexities

1. Time Complexity

We actually separated Steps 2 and 3 to avoid some unnecessary repetitions
in the attack computations in practice. But, to evaluate the time complexity
of the attack, we ignore this improvement and give an upper bound for the
time complexity assuming that Step 2 is merged with Step 3.

$$T_{ph.1} = N_L \times 2 \times 2^{16} \times 1/24 = 2^{56.27} \qquad (15)$$
$$T_{ph.2} = N_L \times 1/24 \times (1 + 2 \times 2^{16}) \approx 2^{56.27} \qquad (16)$$
$$T_{ph.3} = N_L \times 1/24 \times (2 + 2 \times 2^{16}) \approx 2^{56.27} \qquad (17)$$

2. Data Complexity

As mentioned before, for each phase we need about $N_L = 2^{43.85}$ known
plaintexts.

3. Memory Complexity

Since the procedures of recovering the two 16-bit parts of the first row of K'
are performed in parallel, it is necessary to have enough memory for
$2 \times 2^{16}$ keys, which is independent of $N_L$.

All in all, the time, data and memory complexities for the proposed key
recovery attack on full-round Zorro are $2^{57.85}$, $2^{45.44}$, and
$2^{17}$, respectively.

5 Conclusions 

In this paper, we presented how to break the full-round version of Zorro by
using differential and linear cryptanalysis with practical complexities. These
attacks work for the whole key space and make use of 23, 22 and 21-round
differential characteristics or linear trails. Our results on these two
attacks show a trade-off between the time and data complexity: While the
differential cryptanalysis has a time complexity of $2^{52.74}$ full round
encryptions and a data complexity of $2^{55.15}$ chosen plaintexts, the linear
cryptanalysis has a time complexity of $2^{57.85}$ full round encryptions and
a data complexity of $2^{45.44}$ known plaintexts. As far as we know, this is
the first practical attack on full-round Zorro, which along with the previous
cryptanalyses shows that the low nonlinearity in the design of Zorro obviously
has sacrificed the security for efficiency.

Appendix A. Structural Chosen Plaintext

Assume that we have x > 2 differential characteristics and we are going to
choose the minimum number of plaintexts that provide enough pairs for these x
differential characteristics. Let's define a graph in which the vertices are
the plaintexts and the edges are the valid differential pairs. For any node we
have x edges and the number of nodes is $2^x$. So, we have $x \times 2^{x-1}$
differential plaintext pairs in total. Thus, the ratio of the chosen
plaintexts to the differential plaintext pairs in a structure is 2/x. This
method is an extension of what was proposed in [7] for generating data.
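
Added example (not code from the paper): it builds an Appendix A structure, measures the plaintext-to-pair ratio 2/x on it, and then carries Eqs. (5)-(8) and (12), (15)-(17) through to the stated totals. Assumptions: the six differences are constructed single-bit placeholders (Table 2's values are not reproduced on this page), N is taken as 1/P_23r (c = 1), and the linear total is the sum of the three phases.

```python
import math

def build_structure(base, diffs):
    """Plaintexts base ^ (XOR of any subset of diffs): 2^x values when the
    x differences are linearly independent over GF(2)."""
    plaintexts = {base}
    for d in diffs:
        plaintexts |= {p ^ d for p in plaintexts}
    return plaintexts

def count_pairs(structure, diffs):
    """Unordered pairs {p, p ^ d} inside the structure, per difference d."""
    return {d: sum(1 for p in structure if p < (p ^ d) and (p ^ d) in structure)
            for d in diffs}

def plaintexts_per_pair(x):
    """Appendix A ratio measured on a constructed structure (expected 2/x)."""
    diffs = [1 << (8 * i) for i in range(x)]   # constructed placeholder differences
    structure = build_structure(0, diffs)
    pairs = sum(count_pairs(structure, diffs).values())
    return len(structure) / pairs

def differential_log2():
    """log2 of (time, data) for the differential attack of Section 3."""
    p_4r = (6 / 256) ** 2                      # best 4-round probability, Sec. 3.1
    p_23r = p_4r ** 5                          # Eq. (5): the last 3 rounds are free
    n = 1 / p_23r                              # assumption: c = 1 in c/p
    eps = p_23r * 2 ** 16                      # surviving pairs times key guesses
    t1 = 2 * n / 24 * (1 + eps)                # Eq. (6)
    t2 = n / 24 * (1 + 2 * (1 + eps))          # Eq. (7)
    t3 = n / 24 * (2 + 2 * (1 + eps))          # Eq. (8)
    time = t1 + t2 + t3 + 2 ** 32              # plus the final exhaustive search
    data_phase = 2 * n * plaintexts_per_pair(6)    # 2N pairs per phase, x = 6
    return math.log2(time), math.log2(3 * data_phase)

def linear_log2():
    """log2 of (time, data) for the linear attack of Section 4."""
    c_4r = (28 / 128) ** 2                     # best 4-round correlation, Sec. 4.1
    c_23r = c_4r ** 5                          # Eq. (12)
    n_l = 1 / c_23r ** 2                       # N_L = 1/|c_23r|^2
    t1 = n_l * 2 * 2 ** 16 / 24                # Eq. (15)
    t2 = n_l / 24 * (1 + 2 * 2 ** 16)          # Eq. (16)
    t3 = n_l / 24 * (2 + 2 * 2 ** 16)          # Eq. (17)
    return math.log2(t1 + t2 + t3), math.log2(3 * n_l)

if __name__ == "__main__":
    print("plaintexts per pair, x = 6:", plaintexts_per_pair(6))
    print("differential log2(time), log2(data):", differential_log2())
    print("linear       log2(time), log2(data):", linear_log2())
```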